feat: INFRA-403 replace var extra_security_group_id with bastion_secu…

…rity_group_id
Ferlab-Ste-Justine · Aug 4, 2023 · 1de01a7 · 1de01a7
1 parent 73755f4
commit 1de01a7
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 13 deletions.
diff --git a/README.md b/README.md
@@ -32,7 +32,7 @@ The module takes the following variables as input:
 - **flavor_id**: The id of the vm flavor the postgres node will have.
 - **network_id**: Id of the network to connect the postgres node
 - **keypair_name**: Name of the keypair that will be used to ssh on the postgres node
-- **extra_security_group_ids**: List of extra security groups to assign beyond the one already assigned by the module (defaults to `[]`)
+- **bastion_security_group_id**: Id of pre-existing security group to add bastion rules to (defaults to "")
 - **postgres_image**: Docker image to launch the postgres container with
 - **postgres_params**: Additional command line parameters to pass to postgres when launching it
 - **postgres_data**: Path where to store the configuration and data files (defaults to `/data`)

diff --git a/main.tf b/main.tf
@@ -45,7 +45,7 @@ data "template_cloudinit_config" "postgres_config" {
 resource "openstack_networking_port_v2" "postgres" {
   name               = var.name
   network_id         = var.network_id
-  security_group_ids = concat(var.extra_security_group_ids, [openstack_networking_secgroup_v2.postgres_server.id])
+  security_group_ids = [openstack_networking_secgroup_v2.postgres_server.id]
   admin_state_up     = true
 }
 

diff --git a/security_groups.tf b/security_groups.tf
@@ -1,4 +1,3 @@
-
 resource "openstack_networking_secgroup_v2" "postgres_server" {
   name                 = "${var.name}-server"
   description          = "Security group for postgres server"
@@ -17,6 +16,10 @@ resource "openstack_networking_secgroup_v2" "postgres_bastion" {
   delete_default_rules = true
 }
 
+locals {
+  bastion_group_ids = [openstack_networking_secgroup_v2.postgres_bastion.id, var.bastion_security_group_id]
+}
+
 //Allow all outbound traffic for server and bastion
 resource "openstack_networking_secgroup_rule_v2" "postgres_server_outgoing_v4" {
   direction         = "egress"
@@ -44,12 +47,13 @@ resource "openstack_networking_secgroup_rule_v2" "postgres_bastion_outgoing_v6"
 
 //Allow port 22 traffic from the bastion
 resource "openstack_networking_secgroup_rule_v2" "internal_ssh_access" {
+  for_each          = { for idx, id in local.bastion_group_ids : idx => id }
   direction         = "ingress"
   ethertype         = "IPv4"
   protocol          = "tcp"
   port_range_min    = 22
   port_range_max    = 22
-  remote_group_id  = openstack_networking_secgroup_v2.postgres_bastion.id
+  remote_group_id   = each.value
   security_group_id = openstack_networking_secgroup_v2.postgres_server.id
 }
 
@@ -71,7 +75,7 @@ resource "openstack_networking_secgroup_rule_v2" "client_postgres_access" {
   protocol          = "tcp"
   port_range_min    = 5432
   port_range_max    = 5432
-  remote_group_id  = openstack_networking_secgroup_v2.postgres_client.id
+  remote_group_id   = openstack_networking_secgroup_v2.postgres_client.id
   security_group_id = openstack_networking_secgroup_v2.postgres_server.id
 }
 
@@ -80,31 +84,33 @@ resource "openstack_networking_secgroup_rule_v2" "client_icmp_access_v4" {
   direction         = "ingress"
   ethertype         = "IPv4"
   protocol          = "icmp"
-  remote_group_id  = openstack_networking_secgroup_v2.postgres_client.id
+  remote_group_id   = openstack_networking_secgroup_v2.postgres_client.id
   security_group_id = openstack_networking_secgroup_v2.postgres_server.id
 }
 
 resource "openstack_networking_secgroup_rule_v2" "client_icmp_access_v6" {
   direction         = "ingress"
   ethertype         = "IPv6"
   protocol          = "ipv6-icmp"
-  remote_group_id  = openstack_networking_secgroup_v2.postgres_client.id
+  remote_group_id   = openstack_networking_secgroup_v2.postgres_client.id
   security_group_id = openstack_networking_secgroup_v2.postgres_server.id
 }
 
 resource "openstack_networking_secgroup_rule_v2" "bastion_icmp_access_v4" {
+  for_each          = { for idx, id in local.bastion_group_ids : idx => id }
   direction         = "ingress"
   ethertype         = "IPv4"
   protocol          = "icmp"
-  remote_group_id  = openstack_networking_secgroup_v2.postgres_bastion.id
+  remote_group_id   = each.value
   security_group_id = openstack_networking_secgroup_v2.postgres_server.id
 }
 
 resource "openstack_networking_secgroup_rule_v2" "bastion_icmp_access_v6" {
+  for_each          = { for idx, id in local.bastion_group_ids : idx => id }
   direction         = "ingress"
   ethertype         = "IPv6"
   protocol          = "ipv6-icmp"
-  remote_group_id  = openstack_networking_secgroup_v2.postgres_bastion.id
+  remote_group_id   = each.value
   security_group_id = openstack_networking_secgroup_v2.postgres_server.id
 }
 

diff --git a/variable.tf b/variable.tf
@@ -27,10 +27,10 @@ variable "keypair_name" {
   type = string
 }
 
-variable "extra_security_group_ids" {
-  description = "List of extra security groups to assign beyond the one already assigned by the module"
-  type = list(string)
-  default = []
+variable "bastion_security_group_id" {
+  description = "Id of pre-existing security group to add bastion rules to"
+  type = string
+  default = ""
 }
 
 variable "postgres_image" {